bcb4e51a409d94ae670de96afb8483a4f7855294Stephan Bosch/* Copyright (c) 2011-2018 Dovecot authors, see the included COPYING file */
bd63b5b860658b01b1f46f26d406e1e4a9dc019aTimo Sirainenconst char *doveadm_acl_plugin_version = DOVECOT_ABI_VERSION;
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainenvoid doveadm_acl_plugin_init(struct module *module);
5fbccc935e3f7b916aa7c6e302a212821072e83aTimo Sirainencmd_acl_mailbox_open(struct doveadm_mail_cmd_context *ctx,
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainen struct acl_user *auser = ACL_USER_CONTEXT(user);
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainen i_error("ACL not enabled for %s", user->username);
5fbccc935e3f7b916aa7c6e302a212821072e83aTimo Sirainen doveadm_mail_failed_error(ctx, MAIL_ERROR_NOTFOUND);
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainen ns = mail_namespace_find(user->namespaces, mailbox);
4145cbac82bfc0c8bfeceeca0ef841700117930cTimo Sirainen MAILBOX_FLAG_READONLY | MAILBOX_FLAG_IGNORE_ACLS);
bf7dc750b95039981c0e9d728f313d50cf38a156Martti Rannanjärvi mailbox_get_last_internal_error(box, NULL));
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainenstatic void cmd_acl_get_right(const struct acl_rights *rights)
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainen str_append(str, t_strarray_join(rights->rights, " "));
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainen str_append(str, t_strarray_join(rights->neg_rights, " -"));
5fbccc935e3f7b916aa7c6e302a212821072e83aTimo Sirainenstatic int cmd_acl_get_mailbox(struct doveadm_acl_cmd_context *ctx,
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainen struct acl_object *aclobj = acl_mailbox_get_aclobj(box);
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainen backend = acl_mailbox_list_get_backend(box->list);
37c72fa0cd3f1d74d79b64afb3fb6da5ffd4fe3aAki Tuomi while (acl_object_list_next(iter, &rights)) T_BEGIN {
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainen acl_backend_rights_match_me(backend, &rights))
5fbccc935e3f7b916aa7c6e302a212821072e83aTimo Sirainen doveadm_mail_failed_error(&ctx->ctx, MAIL_ERROR_TEMP);
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainencmd_acl_get_run(struct doveadm_mail_cmd_context *_ctx,
5fbccc935e3f7b916aa7c6e302a212821072e83aTimo Sirainen if (cmd_acl_mailbox_open(_ctx, user, mailbox, &box) < 0)
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainenstatic bool cmd_acl_get_parse_arg(struct doveadm_mail_cmd_context *_ctx, int c)
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainenstatic void cmd_acl_get_init(struct doveadm_mail_cmd_context *ctx ATTR_UNUSED,
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainen const char *const args[])
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainen ctx = doveadm_mail_cmd_alloc(struct doveadm_acl_cmd_context);
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainencmd_acl_rights_run(struct doveadm_mail_cmd_context *ctx, struct mail_user *user)
5fbccc935e3f7b916aa7c6e302a212821072e83aTimo Sirainen if (cmd_acl_mailbox_open(ctx, user, mailbox, &box) < 0)
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainen if (acl_object_get_my_rights(aclobj, pool_datastack_create(),
5fbccc935e3f7b916aa7c6e302a212821072e83aTimo Sirainen doveadm_mail_failed_error(ctx, MAIL_ERROR_TEMP);
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainenstatic void cmd_acl_rights_init(struct doveadm_mail_cmd_context *ctx ATTR_UNUSED,
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainen const char *const args[])
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainen ctx = doveadm_mail_cmd_alloc(struct doveadm_mail_cmd_context);
0dab9cb35a976c49b28a11e28d5570f5191f1a7aMartti Rannanjärvi t = mailbox_transaction_begin(box, MAILBOX_TRANSACTION_FLAG_EXTERNAL,
efa7704816f76574c0b1d196ebee20c4d80e1c62Timo Sirainencmd_acl_set_run(struct doveadm_mail_cmd_context *_ctx, struct mail_user *user)
efa7704816f76574c0b1d196ebee20c4d80e1c62Timo Sirainen const char *mailbox = _ctx->args[0], *id = _ctx->args[1];
5fbccc935e3f7b916aa7c6e302a212821072e83aTimo Sirainen if (cmd_acl_mailbox_open(_ctx, user, mailbox, &box) < 0)
eb4d4f557fa75aa2a47639e9deb75a21f44eb42aTimo Sirainen if (acl_rights_update_import(&update, id, rights, &error) < 0)
eb4d4f557fa75aa2a47639e9deb75a21f44eb42aTimo Sirainen if ((ret = cmd_acl_mailbox_update(box, &update)) < 0) {
bf7dc750b95039981c0e9d728f313d50cf38a156Martti Rannanjärvi mailbox_get_last_internal_error(box, NULL));
5fbccc935e3f7b916aa7c6e302a212821072e83aTimo Sirainen doveadm_mail_failed_error(_ctx, MAIL_ERROR_TEMP);
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainenstatic void cmd_acl_set_init(struct doveadm_mail_cmd_context *ctx ATTR_UNUSED,
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainen const char *const args[])
efa7704816f76574c0b1d196ebee20c4d80e1c62Timo Sirainencmd_acl_change_alloc(enum acl_modify_mode modify_mode)
efa7704816f76574c0b1d196ebee20c4d80e1c62Timo Sirainen ctx = doveadm_mail_cmd_alloc(struct doveadm_acl_cmd_context);
efa7704816f76574c0b1d196ebee20c4d80e1c62Timo Sirainenstatic struct doveadm_mail_cmd_context *cmd_acl_set_alloc(void)
efa7704816f76574c0b1d196ebee20c4d80e1c62Timo Sirainen return cmd_acl_change_alloc(ACL_MODIFY_MODE_REPLACE);
efa7704816f76574c0b1d196ebee20c4d80e1c62Timo Sirainenstatic struct doveadm_mail_cmd_context *cmd_acl_add_alloc(void)
efa7704816f76574c0b1d196ebee20c4d80e1c62Timo Sirainen return cmd_acl_change_alloc(ACL_MODIFY_MODE_ADD);
efa7704816f76574c0b1d196ebee20c4d80e1c62Timo Sirainenstatic struct doveadm_mail_cmd_context *cmd_acl_remove_alloc(void)
efa7704816f76574c0b1d196ebee20c4d80e1c62Timo Sirainen return cmd_acl_change_alloc(ACL_MODIFY_MODE_REMOVE);
3aa600b8467f5cec0fd2e0a76c4815973ca61e1fTimo Sirainencmd_acl_delete_run(struct doveadm_mail_cmd_context *ctx, struct mail_user *user)
3aa600b8467f5cec0fd2e0a76c4815973ca61e1fTimo Sirainen const char *mailbox = ctx->args[0], *id = ctx->args[1];
5fbccc935e3f7b916aa7c6e302a212821072e83aTimo Sirainen if (cmd_acl_mailbox_open(ctx, user, mailbox, &box) < 0)
eb4d4f557fa75aa2a47639e9deb75a21f44eb42aTimo Sirainen if (acl_rights_update_import(&update, id, NULL, &error) < 0)
eb4d4f557fa75aa2a47639e9deb75a21f44eb42aTimo Sirainen if ((ret = cmd_acl_mailbox_update(box, &update)) < 0) {
bf7dc750b95039981c0e9d728f313d50cf38a156Martti Rannanjärvi mailbox_get_last_internal_error(box, NULL));
5fbccc935e3f7b916aa7c6e302a212821072e83aTimo Sirainen doveadm_mail_failed_error(ctx, MAIL_ERROR_TEMP);
3aa600b8467f5cec0fd2e0a76c4815973ca61e1fTimo Sirainenstatic void cmd_acl_delete_init(struct doveadm_mail_cmd_context *ctx ATTR_UNUSED,
3aa600b8467f5cec0fd2e0a76c4815973ca61e1fTimo Sirainen const char *const args[])
3aa600b8467f5cec0fd2e0a76c4815973ca61e1fTimo Sirainen ctx = doveadm_mail_cmd_alloc(struct doveadm_mail_cmd_context);
f6aaa31ebed57cbb3a44fa5b0b21e7dee0470fbaTimo Sirainencmd_acl_recalc_run(struct doveadm_mail_cmd_context *ctx, struct mail_user *user)
f6aaa31ebed57cbb3a44fa5b0b21e7dee0470fbaTimo Sirainen struct acl_user *auser = ACL_USER_CONTEXT(user);
f6aaa31ebed57cbb3a44fa5b0b21e7dee0470fbaTimo Sirainen i_error("ACL not enabled for %s", user->username);
f6aaa31ebed57cbb3a44fa5b0b21e7dee0470fbaTimo Sirainen doveadm_mail_failed_error(ctx, MAIL_ERROR_NOTFOUND);
f6aaa31ebed57cbb3a44fa5b0b21e7dee0470fbaTimo Sirainen if (acl_lookup_dict_rebuild(auser->acl_lookup_dict) < 0) {
f6aaa31ebed57cbb3a44fa5b0b21e7dee0470fbaTimo Sirainen doveadm_mail_failed_error(ctx, MAIL_ERROR_TEMP);
f6aaa31ebed57cbb3a44fa5b0b21e7dee0470fbaTimo Sirainen ctx = doveadm_mail_cmd_alloc(struct doveadm_mail_cmd_context);
5fbccc935e3f7b916aa7c6e302a212821072e83aTimo Sirainencmd_acl_debug_mailbox_open(struct doveadm_mail_cmd_context *ctx,
88a4bd48b03c451596414c16f72c0f4cc31b4745Aki Tuomi struct acl_user *auser = ACL_USER_CONTEXT_REQUIRE(user);
737561538a2dcdcda948a1da2830a612d8263a23Timo Sirainen ns = mail_namespace_find(user->namespaces, mailbox);
4145cbac82bfc0c8bfeceeca0ef841700117930cTimo Sirainen MAILBOX_FLAG_READONLY | MAILBOX_FLAG_IGNORE_ACLS);
bf7dc750b95039981c0e9d728f313d50cf38a156Martti Rannanjärvi errstr = mail_storage_get_last_internal_error(box->storage, &error);
9fc97c8aa8190df87624d214bcc5d0b5362bec93Timo Sirainen mailbox_get_path_to(box, MAILBOX_LIST_PATH_TYPE_MAILBOX,
376ed81e5532835eea0e31002d7298843c335b12Timo Sirainen i_error("Can't open mailbox %s: %s", mailbox, errstr);
02076e06658a2f1ee2d6bb76944dc1b5d12e1d7dTimo Sirainen i_error("Mailbox '%s' in namespace '%s' doesn't exist in %s",
376ed81e5532835eea0e31002d7298843c335b12Timo Sirainen i_info("ACL not enabled for user %s, mailbox can be accessed",
5fbccc935e3f7b916aa7c6e302a212821072e83aTimo Sirainen doveadm_mail_failed_error(ctx, MAIL_ERROR_NOTFOUND);
6bd9ffc5d782e160c8542d53b26864ed973c8f66Timo Sirainenstatic bool cmd_acl_debug_mailbox(struct mailbox *box, bool *retry_r)
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainen struct mail_namespace *ns = mailbox_get_namespace(box);
88a4bd48b03c451596414c16f72c0f4cc31b4745Aki Tuomi struct acl_user *auser = ACL_USER_CONTEXT_REQUIRE(ns->user);
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainen struct acl_object *aclobj = acl_mailbox_get_aclobj(box);
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainen struct acl_backend *backend = acl_mailbox_list_get_backend(box->list);
02076e06658a2f1ee2d6bb76944dc1b5d12e1d7dTimo Sirainen if (mailbox_get_path_to(box, MAILBOX_LIST_PATH_TYPE_MAILBOX, &path) > 0)
7b39597853fc030086b5237169e677173f9aab62Timo Sirainen private_flags_mask = mailbox_get_private_flags_mask(box);
facd0971af3c905a3838ba14abc5682f285c9464Timo Sirainen i_info("All message flags are shared across users in mailbox");
7b39597853fc030086b5237169e677173f9aab62Timo Sirainen imap_write_flags(str, private_flags_mask, NULL);
facd0971af3c905a3838ba14abc5682f285c9464Timo Sirainen i_info("Per-user private flags in mailbox: %s", str_c(str));
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainen /* check if user has lookup right */
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainen if (acl_object_get_my_rights(aclobj, pool_datastack_create(),
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainen i_info("User %s has no rights for mailbox", ns->user->username);
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainen ns->user->username, t_strarray_join(rights, " "));
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainen if (!str_array_find(rights, MAIL_ACL_LOOKUP)) {
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainen /* check if mailbox is listable */
3e0bae44b65f5c46989fcef3d1e07203f496327eTimo Sirainen if (ns->type == MAIL_NAMESPACE_TYPE_PRIVATE) {
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainen i_info("Mailbox in user's private namespace");
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainen iter = acl_backend_nonowner_lookups_iter_init(backend);
37c72fa0cd3f1d74d79b64afb3fb6da5ffd4fe3aAki Tuomi while (acl_backend_nonowner_lookups_iter_next(iter, &name)) {
37c72fa0cd3f1d74d79b64afb3fb6da5ffd4fe3aAki Tuomi if ((ret = acl_backend_nonowner_lookups_iter_deinit(&iter))<0)
6bd9ffc5d782e160c8542d53b26864ed973c8f66Timo Sirainen i_error("Mailbox not found from dovecot-acl-list, rebuilding");
6bd9ffc5d782e160c8542d53b26864ed973c8f66Timo Sirainen if (acl_backend_nonowner_lookups_rebuild(backend) < 0)
6bd9ffc5d782e160c8542d53b26864ed973c8f66Timo Sirainen i_fatal("dovecot-acl-list rebuilding failed");
6bd9ffc5d782e160c8542d53b26864ed973c8f66Timo Sirainen i_info("Mailbox found from dovecot-acl-list");
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainen if (!acl_lookup_dict_is_enabled(auser->acl_lookup_dict)) {
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainen /* shared namespace. see if it's in acl lookup dict */
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainen diter = acl_lookup_dict_iterate_visible_init(auser->acl_lookup_dict);
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainen while ((name = acl_lookup_dict_iterate_visible_next(diter)) != NULL) {
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainen if (acl_lookup_dict_iterate_visible_deinit(&diter) < 0)
6bd9ffc5d782e160c8542d53b26864ed973c8f66Timo Sirainen i_error("User %s not found from ACL shared dict, rebuilding",
6bd9ffc5d782e160c8542d53b26864ed973c8f66Timo Sirainen if (acl_lookup_dict_rebuild(auser->acl_lookup_dict) < 0)
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainencmd_acl_debug_run(struct doveadm_mail_cmd_context *ctx, struct mail_user *user)
5fbccc935e3f7b916aa7c6e302a212821072e83aTimo Sirainen if (cmd_acl_debug_mailbox_open(ctx, user, mailbox, &box) < 0)
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainen i_info("Mailbox %s is visible in LIST", box->vname);
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainen i_info("Mailbox %s is NOT visible in LIST", box->vname);
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainenstatic void cmd_acl_debug_init(struct doveadm_mail_cmd_context *ctx ATTR_UNUSED,
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainen const char *const args[])
7c598f384223a1364e8040c1e2a4cad8d00edde6Timo Sirainen ctx = doveadm_mail_cmd_alloc(struct doveadm_mail_cmd_context);
57a2881cb841fdfeb0631f8065070bbc547d4618Aki Tuomi .usage = DOVEADM_CMD_MAIL_USAGE_PREFIX "[-m] <mailbox>",
57a2881cb841fdfeb0631f8065070bbc547d4618Aki TuomiDOVEADM_CMD_PARAM('m', "match-me", CMD_PARAM_BOOL, 0)
57a2881cb841fdfeb0631f8065070bbc547d4618Aki TuomiDOVEADM_CMD_PARAM('\0', "mailbox", CMD_PARAM_STR, CMD_PARAM_FLAG_POSITIONAL)
57a2881cb841fdfeb0631f8065070bbc547d4618Aki Tuomi .usage = DOVEADM_CMD_MAIL_USAGE_PREFIX "<mailbox>",
57a2881cb841fdfeb0631f8065070bbc547d4618Aki TuomiDOVEADM_CMD_PARAM('\0', "mailbox", CMD_PARAM_STR, CMD_PARAM_FLAG_POSITIONAL)
57a2881cb841fdfeb0631f8065070bbc547d4618Aki Tuomi .usage = DOVEADM_CMD_MAIL_USAGE_PREFIX "<mailbox> <id> <right> [<right> ...]",
57a2881cb841fdfeb0631f8065070bbc547d4618Aki TuomiDOVEADM_CMD_PARAM('\0', "mailbox", CMD_PARAM_STR, CMD_PARAM_FLAG_POSITIONAL)
57a2881cb841fdfeb0631f8065070bbc547d4618Aki TuomiDOVEADM_CMD_PARAM('\0', "id", CMD_PARAM_STR, CMD_PARAM_FLAG_POSITIONAL)
57a2881cb841fdfeb0631f8065070bbc547d4618Aki TuomiDOVEADM_CMD_PARAM('\0', "right", CMD_PARAM_ARRAY, CMD_PARAM_FLAG_POSITIONAL)
57a2881cb841fdfeb0631f8065070bbc547d4618Aki Tuomi .usage = DOVEADM_CMD_MAIL_USAGE_PREFIX "<mailbox> <id> <right> [<right> ...]",
57a2881cb841fdfeb0631f8065070bbc547d4618Aki TuomiDOVEADM_CMD_PARAM('\0', "mailbox", CMD_PARAM_STR, CMD_PARAM_FLAG_POSITIONAL)
57a2881cb841fdfeb0631f8065070bbc547d4618Aki TuomiDOVEADM_CMD_PARAM('\0', "id", CMD_PARAM_STR, CMD_PARAM_FLAG_POSITIONAL)
57a2881cb841fdfeb0631f8065070bbc547d4618Aki TuomiDOVEADM_CMD_PARAM('\0', "right", CMD_PARAM_ARRAY, CMD_PARAM_FLAG_POSITIONAL)
57a2881cb841fdfeb0631f8065070bbc547d4618Aki Tuomi .usage = DOVEADM_CMD_MAIL_USAGE_PREFIX "<mailbox> <id> <right> [<right> ...]",
57a2881cb841fdfeb0631f8065070bbc547d4618Aki TuomiDOVEADM_CMD_PARAM('\0', "mailbox", CMD_PARAM_STR, CMD_PARAM_FLAG_POSITIONAL)
57a2881cb841fdfeb0631f8065070bbc547d4618Aki TuomiDOVEADM_CMD_PARAM('\0', "id", CMD_PARAM_STR, CMD_PARAM_FLAG_POSITIONAL)
57a2881cb841fdfeb0631f8065070bbc547d4618Aki TuomiDOVEADM_CMD_PARAM('\0', "right", CMD_PARAM_ARRAY, CMD_PARAM_FLAG_POSITIONAL)
57a2881cb841fdfeb0631f8065070bbc547d4618Aki Tuomi .usage = DOVEADM_CMD_MAIL_USAGE_PREFIX "<mailbox> <id>",
57a2881cb841fdfeb0631f8065070bbc547d4618Aki TuomiDOVEADM_CMD_PARAM('\0', "mailbox", CMD_PARAM_STR, CMD_PARAM_FLAG_POSITIONAL)
57a2881cb841fdfeb0631f8065070bbc547d4618Aki TuomiDOVEADM_CMD_PARAM('\0', "id", CMD_PARAM_STR, CMD_PARAM_FLAG_POSITIONAL)
57a2881cb841fdfeb0631f8065070bbc547d4618Aki Tuomi .usage = DOVEADM_CMD_MAIL_USAGE_PREFIX "<mailbox>",
57a2881cb841fdfeb0631f8065070bbc547d4618Aki TuomiDOVEADM_CMD_PARAM('\0', "mailbox", CMD_PARAM_STR, CMD_PARAM_FLAG_POSITIONAL)
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainenvoid doveadm_acl_plugin_init(struct module *module ATTR_UNUSED)
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainen unsigned int i;
7d8afd1e15bdf23b5fd13aa9ac9606aca2797125Timo Sirainen for (i = 0; i < N_ELEMENTS(acl_commands); i++)